Systems of Magic, and a request

Dec. 4th, 2008 05:33 pm
rising_moon: (Default)
[personal profile] rising_moon
Recently I've read a few excellent fantasy novels which were written around believable, consistent, and reasonable systems of magic. Believable magic is one of the elements that will sell me on a writer. I've enjoyed The Abhorsen Trilogy, by Garth Nix, and, most recently, The Name of the Wind, by Patrick Rothfuss.

I've learned that Brandon Sanderson, who wrote this essay on systems of magic, is going to finish Robert Jordan's 12th and final novel of the Wheel of Time series. Depending on my Lady's response to his work, I might take up the first one. :)

Unrelatedly (maybe): can any of you recommend a good history (articles, blogs, anything) of technical approaches to affixing Identity? That is, assuring that individuals are who they say they are? I'm making a study of transaction psychology -- financial services inclined but not fixed -- and would love some background data on approaches to identity assurance. Thanks!
Tags:
Flat | Top-Level Comments Only

Date: 2008-12-05 08:30 pm (UTC)
From: [identity profile] rising-moon.livejournal.com
This is a great idea -- but I wonder if what you're really testing for, here, is mathematical genius. :)

Can you extrapolate from there to a Factoring problem that can be individuated up and down the mathematics affinity scale? I'm sure the theory can transpose across skill sets.

Date: 2008-12-05 08:41 pm (UTC)
From: [identity profile] dreda.livejournal.com
Can you extrapolate from there to a Factoring problem that can be individuated up and down the mathematics affinity scale? I'm sure the theory can transpose across skill sets.

I'm all fluttery over here now...

Date: 2008-12-08 08:08 pm (UTC)
From: [identity profile] rising-moon.livejournal.com
*kiss*

Date: 2008-12-05 09:33 pm (UTC)
From: [identity profile] dilletante.livejournal.com
i think the factoring problem in this example reduces to knowing a secret. you don't factor the big number by being better at math than anyone else; you factor it by already knowing one of the factors, which other people don't know. (this is how public key cryptography works.)

(i find your question interesting because it's something i've idly speculated about before-- now i'm going to tie both your threads together-- by wondering if teaching all my friends to juggle would let me figure out whether they'd been replaced by doppelgangers who also stole their memories, if said doppelgangers didn't also have their skills... :) :) :) )

(or more generally, people have distinctive and recognizeable ways of doing a lot of physical skills-- walking, dancing, fighting, tapping morse code-- that might not be duplicated along with their knowledge.) )

Date: 2008-12-08 08:13 pm (UTC)
From: [identity profile] rising-moon.livejournal.com
This end of user authentication is really what I'm interested in. The field of "what you know (data)" is pretty much set: very few people know your SNN, your DOB, and your parents' alternate names, but fewer know the color of your first car, the street you lived on two moves ago, etc. All good. "What you are" is simple biometrics, with their several technical challenges and ROI equations.

But "how you do what you do" is interesting! I explored "user fist" algorithms at my previous employer's, and for several reasons the system proved unreliable. That is, unreliable for the purposes of securing the information we were securing. But something like the "user fist" (or "user facility" in some other arena, like juggling) must be unique enough...

We need an individuated Turing Test.

Date: 2008-12-09 06:01 am (UTC)
From: [identity profile] kyttle.livejournal.com
I find this stuff really fascinating, too, and spent part of high school trying to get a teacher to support me in an attempt to write a program that could identify an author by their style (no luck, sadly).

This problem is reminds me a lot of determining whether or not a sequence of number is random. Please pardon the obligatory Dilbert comic: Image

Any attempt to read a sequence of actions and determine if it was generated by a specific person is going to have to be probabilistic, just like a test for randomness. It seems to me like the trick is accurately calculating that probability. Take identifying someone by their typing style, for instance. We can ask someone to type some passage of text and measure the accuracy and time between keystrokes to try to identify a user. But users will vary, and it is almost certain that in a large enough pool of people there will be two whose variations overlap somewhat. The users won't be identical, but there will exist certain output sequences that will be plausible for either user. Then the trick is determining which user is more likely.

I feel that this is a problem that humans may be a lot better than computers at.

Another point of interest: people change over time, so the authentication will have to change as well. Skills improve or deteriorate. If you ask a user to type a specific passage to identify themselves a lot, they will get better at typing that passage, and maybe at typing in general. When I was researching identifying authors by their writing styles, I found out that authors change style a lot over the course of a lifetime, to the point that an author's early work and later work may be less similar than some different authors are.

On a practical level, how would you maintain the authentication scheme in the face of changing skills? On a philosophical level, if a person's skill changes so much so that they no longer authenticate, is the authentication test right? Are they a different person?

This would make a great discussion over a bottle of wine some day

Date: 2008-12-09 06:35 am (UTC)
From: [identity profile] kyttle.livejournal.com
Apparently, part of an O'Reilly book is on identifying users based on their typing: http://safari.informit.com/0596008279/securityusability-CHP-11-SECT-1

It looks like the book has good references in it based on the preview that they put on the web. Maybe it'd be worth checking out. Or at least finding someone with a subscription to their books...

Date: 2008-12-09 04:26 pm (UTC)
From: [identity profile] goldsquare.livejournal.com
You are having a great deal of fun at the intersection of probability and statistics. :-)

There are great books on issues of identity, from a non-rigorous standpoint. There is a famous medical case of a man who took an iron bar through his skull. Upon removal, he was "himself", but had a different (and far more irascible) personality.

The old man is the infant, in terms of identity. Because of continuity. The weaknesses of security (as I said above, what you have, are or know) is that all of them can be disrupted. You can lose your key, lose a hand or fingerprint, or forget a rarely used password.

(People know my father-in-law for his incredible roller-blading abilities. But thanks to Parkinson's, he hasn't strapped on skates for a decade. Is he still the same identity?)

Date: 2008-12-10 03:15 pm (UTC)
From: [identity profile] rising-moon.livejournal.com
From the point of view of his banking institution, yes, your father-in-law and the Iron Bar Man are their self-same identities -- but I see what you're getting at: for the purposes of proving he is who he is, a man's store of proof is impaired or changed over time.

That is true of any identity measure. I would argue that those cases illustrate the importance of improving the accuracy and affordability of biometric identity measures, but also, by extension to other kinds of accident or mishap, the importance of layering the modes of measure. I'm all for stacking the modes if it means decreasing the likelihood that someone can pretend to be me.

People know my father-in-law for..

Hmm. This starter might actually be the only real measure: who you know. :)

Date: 2008-12-10 03:29 pm (UTC)
From: [identity profile] goldsquare.livejournal.com
Hmm. This starter might actually be the only real measure: who you know. :)

Which is a nice entry point into your learning about the notion of "web of trust" and web-based certificates. :-)

As a Software QA professional, let me dazzle you with math. Let us say that we have something we want to secure, and so we secure it with 3 methods: what you have (H), what you know (K) and who you are (U).

Let me make the math easy: the false-positive rate (how often a person can fake a method) is 10%, meaning 1 time out of 10 you can fake your way in past any single method. The probability you can fake your way past all three methods is H-fail * K-fail * U-fail = .10*.10*.10 = .001 or 1 failure in a thousand. That's GREAT.

Now, let's pretend that the false-negative rate is half that. Half the time you should be able to log in, you can't. What's the rate of that? It turns out it is H-not + K-not + U-not = .05 + .05 + .05 = .15

You've spiked the lockout rate, hugely. Whatever your guarding had better be worth it, because a lot of legitimate access is going to be denied. This is the crime of probability, for when unlikely things have to happen together, you multiply the probabilities, but when they happen separately you add them.

Now: let's say you want to fix the false negatives, by having some way to replace "what you have, are or know". You've moved the problem because all the Black Hat has to do, is force the replacement process to fail and give him access, 3 times. Perhaps as few as twice. (If you'll replace what I had and lost for me, using only who I am or what I know, you've essentially removed the what I have requirement.)

How many repetitions of fixing false negatives will you allow? If they are infinite, the odds of a determined attacker winning are very good. If they are not, you are starting to help yourself more.

There is a reason why most systems are secured by only one layer of security.

Date: 2008-12-09 05:38 am (UTC)
From: [identity profile] kyttle.livejournal.com
Exactly, the factoring problem reduces to a secret that only you know. The awesome part is you can actually prove to the world that you know the secret without actually revealing the secret!

I only know of two generally accepted forms of authentication: knowledge of a secret (in many variations) and possession of an object (which many be your body). The idea of authenticating someone based on how the do something is really cool, but I've never seen it actually used. If you've heard of something similar used in practice, I would love to hear about it.

I wonder how consistent people really are and how quickly their skills change. It's like voice recognition: it seems like a great idea, but what if I have a cold?

Date: 2008-12-09 03:21 pm (UTC)
From: [identity profile] rising-moon.livejournal.com
This is the first place I've heard about a "what you can do" authentication method. It sounds intriguing. I wonder if I might be able to register a bunch of unique identifiers with some agency or other, in the event that my ID gets challenged and I some day have to prove what data belongs to me.

That's the next challenge, I suppose: Linking ME to MINE.

but what if I have a cold?

Ah, right. Or a broken finger, or a sore knee, or a momentary bout of forgetting how to play "Danny Boy". (It happens.) This is a good point.

Flat | Top-Level Comments Only

Profile

rising_moon: (Default)
rising_moon
nos golau

Navigation

April 2019

S M T W T F S
 123456
78910111213
14151617 18 1920
21 222324252627
282930    

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Jun. 29th, 2025 04:54 pm
Powered by Dreamwidth Studios